Microsoft Sentinel Blog

Managing Microsoft Sentinel and Microsoft Defender XDR permissions in Microsoft Defender portal

BenjiSec
Dec 23, 2025

In November 2023 at Microsoft Ignite, we announced the integration of Microsoft Sentinel with Microsoft Defender XDR into the unified Microsoft Defender portal. In July 2024 we announced that this integration was generally available (GA), and in July 2025 we announced that the Microsoft Sentinel experience in the Azure portal will be retired on July 1, 2026.

As we introduced the new portal experience, many customers naturally had questions, particularly around permissions. Common concerns included: How will permissions be managed going forward? What changes should I expect with my existing Azure permissions? And do I still need the Microsoft Sentinel Contributor role? In this post, we break down the answers and clarify what the transition means for you.

Microsoft Sentinel SIEM permissions

In the Azure portal, we use Azure RBAC permissions to manage access to Microsoft Sentinel. We’ve documented all roles and related permissions in our guidance here:

Roles and permissions in the Microsoft Sentinel platform | Microsoft Learn.

These permissions will not change in the new unified portal. To access incidents that have Microsoft Sentinel SIEM as the detection source for alerts, to query Microsoft Sentinel tables in Advanced Hunting, or to access the Microsoft Sentinel menu, you will need the same permissions as in the Azure portal. For example:

  • to read Microsoft Sentinel data, Microsoft Sentinel Reader
  • to respond to incidents and create Automation rules, Microsoft Sentinel Responder
  • to be able to execute playbooks on incidents manually, Microsoft Sentinel Playbook Operator.

Today, if you have permissions to see Microsoft Sentinel logs, incidents, etc. in the Azure portal, you will be able to see those in the Defender portal.

Microsoft Defender XDR permissions

For Microsoft Sentinel customers who previously worked exclusively in the Microsoft Sentinel Azure portal for investigation and triage and were not using the Defender XDR portal, this is where they may notice a change.

To access any Defender XDR features (alerts from sources other than Sentinel, such as MDE/MDO/MDC, …; XDR tables in Advanced Hunting; etc.), you will need the appropriate Entra ID built-in roles, such as Security Reader, Security Operator, or Security Administrator, or you will need to use Unified RBAC (URBAC). We recommend using Unified RBAC, as it restricts access to the Defender portal only, while global Entra ID roles grant much broader access across Microsoft portals, often more than you’d want to expose to the SOC team.

At this point, URBAC supports Microsoft Defender XDR, Exposure Management, Microsoft Defender for Cloud (experience in Defender portal), Security Copilot (for investigation and response in Defender portal), and Microsoft Sentinel data lake (default workspace). Microsoft Sentinel SIEM support for URBAC is coming soon! 

Details about the permissions available to configure for your users based on the tasks they need to do are explained in this article – Permissions in Microsoft Defender XDR Unified role-based access control (RBAC) - Microsoft Defender XDR | Microsoft Learn.

 

Minimum URBAC role to view and manage all Defender XDR incidents, alerts, and Advanced Hunting tables

To configure the minimum URBAC role required to view and manage alerts, as well as to query any Advanced Hunting table in the Defender portal, navigate to System > Permissions > Microsoft Defender XDR > Roles and create the following role:

  • Security Operations > Custom permissions > Security data basics (read) and Alerts (manage)

 

Special considerations

  • MDE – Device groups

If there are any Device groups configured under MDE permissions, then you need to edit their user access. This can be configured under System > Permissions > Endpoints roles & groups > Device groups. Select the Device group you want to configure access for, then select “User access” and add the Entra ID group of analysts.

  • MDI Scoping

If you need to scope user access to see MDI data only from specific users (either different AD domains, or different OUs), you can use MDI Identity scoping. MDI Identity scoping is configured while you are creating the role assignment.

Examples of roles

Example 1 – I am a SOC Analyst that needs to access only Sentinel features in the Defender portal (detections on Sentinel data, raw data from Log Analytics, Workbooks, Automations, Content Hub, etc.). I don’t need access to any Defender XDR incidents, alerts, MD XDR tables, etc. What permissions do I need?

In this case, you will need only a Sentinel role (Microsoft Sentinel Reader, Microsoft Sentinel Responder, or Microsoft Sentinel Contributor) which needs to be assigned from the Azure portal.

If you need the ability to execute playbooks, you will also need the Sentinel Playbook Operator role assigned from the Azure portal.

In this case, the user will not have access to any Defender XDR incidents, alerts, XDR tables, or any other feature of Defender XDR.

 

Example 2 – I am a SOC Analyst that needs access to only Defender XDR features in the Defender portal (incidents, alerts, XDR tables, etc.), but I shouldn’t see any Sentinel incidents, alerts, tables, or any other Sentinel feature. What permissions do I need?

In this case, the user will need either a global Entra ID role (Security Administrator, Security Operator, Security Reader, etc.) or an equivalent URBAC role. We recommend using URBAC as it gives access to the Defender portal only.

 

Example 3 – I am a SOC Analyst and I need access to all data, Sentinel and Defender XDR. In the Azure portal, I just needed a Microsoft Sentinel role, and I could see it all. Is it the same in the Microsoft Defender portal?

No. In the Microsoft Defender portal, to see data from Microsoft Sentinel and Defender XDR, you will need Sentinel permissions assigned in the Azure portal as described in Example 1, plus Microsoft Defender XDR permissions as described in Example 2.

 

Example 4 – I am a Sentinel-only customer, and I don’t have any Defender XDR licenses. Do I need to update my permissions?

You will need the Security Administrator or Global Administrator role to perform onboarding. After that, to continue using Sentinel in the Defender portal in the same manner you used it in the Azure portal, you don’t need any additional permissions.

Note: In this case, you will not have access to any native Defender portal features, like extended TI with Threat Analytics or Case Management, that can improve your overall SOC processes and experience.

FAQ

If I don’t have permissions to see data from specific standalone solutions like Sentinel, Defender for Endpoint or Defender for Identity, or I’m not scoped to see specific device groups, domains, or organizational units, what experience will I have when working with multi-stage incidents with alerts that I cannot see?

In this case, you will see the incident and only the alerts you have permissions to view. For example, if an incident has 24 alerts (for example MDE, MDI, and Sentinel alerts), but you have permission to see only 5 of them (for example only Sentinel alerts), you will see the incident with 5 alerts in it. The other 19 alerts (MDE and MDI alerts in our example) will be hidden until the user is assigned permissions to see data related to these workloads (Entra ID built-in role or URBAC role).

There will be two indications that you cannot see the whole experience:

  • Banner stating that you cannot see the whole experience – “This information is limited because of your current permissions. Contact a global administrator to change your permissions.”
  • Manage incident option will be greyed out

In this case, analysts have clear indications that they don’t have permissions to see the whole incident, and because of that they will not have the option to manage the incident. Users will be able to manage the alerts in the incident that they have access to. Only a user with permission to see the whole incident can manage the incident itself.
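
The visibility rules from this answer and from Examples 1 to 3, written as a small Python model for planning role assignments. This is an added example, not Microsoft code and not how the portal is implemented; the class and field names, the workspace name ws-soc, the device group names, and the 5/12/7 split of the 24 alerts are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Workloads whose alerts need Defender XDR permissions (Entra ID role or URBAC role).
XDR_SOURCES = {"MDE", "MDI", "MDO", "MDC"}

@dataclass(frozen=True)
class Alert:
    alert_id: int
    source: str             # "Sentinel" or one of XDR_SOURCES
    workspace: str = ""     # set for Sentinel alerts
    device_group: str = ""  # set for MDE alerts

@dataclass
class Analyst:
    sentinel_workspaces: set = field(default_factory=set)  # Azure RBAC Sentinel role held here
    xdr_read: bool = False               # Entra ID security role or URBAC read permission
    device_groups: Optional[set] = None  # None means no device-group restriction

def can_see(analyst: Analyst, alert: Alert) -> bool:
    if alert.source == "Sentinel":
        return alert.workspace in analyst.sentinel_workspaces
    if alert.source not in XDR_SOURCES or not analyst.xdr_read:
        return False
    if alert.source == "MDE" and analyst.device_groups is not None:
        return alert.device_group in analyst.device_groups
    return True

def incident_view(analyst: Analyst, alerts: list) -> dict:
    visible = sum(can_see(analyst, a) for a in alerts)
    hidden = len(alerts) - visible
    return {
        "visible": visible,
        "hidden": hidden,
        "limited_banner": hidden > 0,
        # Visibility only: the role must still grant manage rights.
        "manage_incident_available": hidden == 0 and visible > 0,
    }

def sample_incident() -> list:
    # Constructed data matching the 24-alert example: 5 Sentinel, 12 MDE, 7 MDI.
    alerts = [Alert(i, "Sentinel", workspace="ws-soc") for i in range(5)]
    alerts += [Alert(i, "MDE", device_group="servers") for i in range(5, 17)]
    alerts += [Alert(i, "MDI") for i in range(17, 24)]
    return alerts

if __name__ == "__main__":
    for name, who in [("Sentinel only", Analyst({"ws-soc"})),
                      ("XDR only", Analyst(xdr_read=True)),
                      ("both", Analyst({"ws-soc"}, True))]:
        print(name, incident_view(who, sample_incident()))
```

MDI identity scoping is not modelled; it would add a check on MDI alerts in the same way the device-group check applies to MDE alerts.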

 

What about managing multiple Microsoft Sentinel workspaces? Can I still apply permissions on workspace level?

Yes. As mentioned, we are not changing Microsoft Sentinel permissions. If you apply permissions to only one workspace, users will see data for that workspace, even if you have additional workspaces onboarded to the unified portal.

 

What about DLP incidents and integration in Microsoft Defender portal?

If you are using global Entra ID roles, no additional permissions will be needed to see this data. If you are using URBAC for Defender XDR, then we recommend creating Purview RBAC roles to give access to DLP-related data in the Defender portal, as we federate Purview RBAC roles to the Defender portal. DLP roles are not managed by URBAC.

 

How can I move Global Entra ID roles to unified RBAC?

We have mapped the URBAC permissions required to have equivalent permissions to global roles in the Defender portal – Map Microsoft Defender XDR Unified role-based access control (RBAC) permissions - Microsoft Defender XDR | Microsoft Learn

You can create equivalent permissions in URBAC, activate the workloads, and remove global Entra ID roles from the user.

 

Do I still need global Entra ID roles?

For specific actions and features, you will need Entra ID global roles. For example, to connect Sentinel workspaces, change primary Sentinel workspaces, connect first-party connectors like Entra ID, get access to Microsoft Sentinel data lake, etc.

While we are in the process of making most of the needed actions available in URBAC, some components still require global Entra ID roles.

 

I’m still using legacy RBAC controls per standalone XDR product (Defender for Endpoint RBAC, Defender for Identity RBAC, etc.) Are they still supported?

Yes, they are still supported, but we urge customers to migrate to URBAC so that they have all RBAC controls in one place. In the docs, you can find information on how to import permissions, which can help your transition. You can first migrate permissions from standalone RBAC to Unified RBAC, and only after that should you enable the workload in URBAC.

To help, we also created mappings of standalone roles permissions to URBAC - Map Microsoft Defender XDR Unified role-based access control (RBAC) permissions - Microsoft Defender XDR | Microsoft Learn.

 

I have performed migration and enabled URBAC. What if I made a permission configuration mistake and need to switch back to standalone RBAC so that users are not blocked while my misconfiguration is fixed?

This is possible. You just need to turn off the toggle in URBAC, and standalone RBAC will take over again. Once you have configured the permissions properly, you can go back and turn the toggle back on.

 

I’m using PIM for Entra ID global roles. Can I use PIM for URBAC?

You can use PIM for Groups for URBAC. In this case, you create a group that you enable for PIM, and you assign the URBAC permission to this group. Instead of performing PIM activation for a specific role, users will perform PIM activation for the group to get access.

 

Does URBAC have an API available?

Yes, under Microsoft Graph REST API Beta - rbacApplicationMultiple resource type - Microsoft Graph beta | Microsoft Learn.

 

I can audit Sentinel permissions in the AzureActivity table. Can I also audit URBAC permissions?

URBAC Audit is part of the Defender XDR audit, and you can access it through the Audit page in the Microsoft Defender or Purview compliance portals.

You can also query the CloudAppEvents table, which shows records such as the creation, editing, and deletion of URBAC roles.

 

To query it, you can use this sample query as a starting point:

CloudAppEvents
| where RawEventData.Workload contains "URBAC"

Updated Dec 23, 2025
Version 1.0